sctp: fix copying more bytes than expected in sctp_add_bind_addr Dmitry reported that sctp_add_bind_addr may read more bytes than expected in case the parameter is a IPv4 addr supplied by the user through calls such as sctp_bindx_add(), because it always copies sizeof(union sctp_addr) while the buffer may be just a struct sockaddr_in, which is smaller. This patch then fixes it by limiting the memcpy to the min between the union size and a (new parameter) provided addr size. Where possible this parameter still is the size of that union, except for reading from user-provided buffers, which then it accounts for protocol type. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 133800d1f0288b9ddfc0d0aded10d9efa82d5b8c [log] [tgz]
author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Tue Mar 08 10:34:28 2016 -0300
committer: David S. Miller <davem@davemloft.net> Tue Mar 08 15:04:08 2016 -0500
tree: fa156a2753d1c80c12910790cb12ddf6db7da30b
parent: e2857b8f11a289ed2b61d18d0665e05c1053c446 [diff] [blame]
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 5d6a03f..7fe971e 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c

@@ -1830,7 +1830,8 @@
 	/* Also, add the destination address. */
 	if (list_empty(&retval->base.bind_addr.address_list)) {
 		sctp_add_bind_addr(&retval->base.bind_addr, &chunk->dest,
-				SCTP_ADDR_SRC, GFP_ATOMIC);
+				   sizeof(chunk->dest), SCTP_ADDR_SRC,
+				   GFP_ATOMIC);
 	}
 
 	retval->next_tsn = retval->c.initial_tsn;
commit	133800d1f0288b9ddfc0d0aded10d9efa82d5b8c	[log] [tgz]
author	Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>	Tue Mar 08 10:34:28 2016 -0300
committer	David S. Miller <davem@davemloft.net>	Tue Mar 08 15:04:08 2016 -0500
tree	fa156a2753d1c80c12910790cb12ddf6db7da30b
parent	e2857b8f11a289ed2b61d18d0665e05c1053c446 [diff] [blame]